CVE-2023-28154

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28154
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28154.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28154
Aliases
Related
Withdrawn
2024-05-15T05:32:53.483322Z
Published
2023-03-13T01:15:10Z
Modified
2023-11-29T10:03:14.953460Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

References

Affected packages

Git / github.com/webpack/webpack

Affected ranges

Type
GIT
Repo
https://github.com/webpack/webpack
Events
Introduced
610f36817af1f1c6929786d68f734ac582af1757
Fixed
97b1718720c33f1b17302a74c5284b01e02ec001

Affected versions

v5.*

v5.0.0
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.10.0
v5.10.1
v5.10.2
v5.10.3
v5.11.0
v5.11.1
v5.12.0
v5.12.1
v5.12.2
v5.12.3
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.17.0
v5.18.0
v5.19.0
v5.2.0
v5.2.1
v5.20.0
v5.20.1
v5.20.2
v5.21.0
v5.21.2
v5.22.0
v5.23.0
v5.24.0
v5.24.1
v5.24.2
v5.24.3
v5.24.4
v5.25.0
v5.25.1
v5.26.0
v5.26.1
v5.26.2
v5.26.3
v5.27.0
v5.27.1
v5.27.2
v5.28.0
v5.29.0
v5.3.0
v5.3.1
v5.3.2
v5.30.0
v5.31.0
v5.31.1
v5.31.2
v5.32.0
v5.33.0
v5.33.1
v5.33.2
v5.34.0
v5.35.0
v5.35.1
v5.36.0
v5.36.1
v5.36.2
v5.37.0
v5.37.1
v5.38.0
v5.38.1
v5.39.0
v5.39.1
v5.4.0
v5.40.0
v5.41.0
v5.41.1
v5.42.0
v5.42.1
v5.43.0
v5.44.0
v5.45.0
v5.45.1
v5.46.0
v5.47.0
v5.47.1
v5.48.0
v5.49.0
v5.5.0
v5.5.1
v5.50.0
v5.51.0
v5.51.1
v5.51.2
v5.52.0
v5.52.1
v5.53.0
v5.54.0
v5.55.0
v5.55.1
v5.56.0
v5.56.1
v5.57.0
v5.57.1
v5.58.0
v5.58.1
v5.58.2
v5.59.0
v5.59.1
v5.6.0
v5.60.0
v5.61.0
v5.62.0
v5.62.1
v5.62.2
v5.63.0
v5.64.0
v5.64.1
v5.64.2
v5.64.3
v5.64.4
v5.65.0
v5.66.0
v5.67.0
v5.68.0
v5.69.0
v5.69.1
v5.7.0
v5.70.0
v5.71.0
v5.72.0
v5.72.1
v5.73.0
v5.74.0
v5.75.0
v5.8.0
v5.9.0